
The Anomaly Detection in SMTP Traffic Based on Leaky Integrate-and-Fire Model
Authors: LUO Hao (罗浩), FANG Bin-xing (方滨兴), YUN Xiao-chun (云晓春)
Affiliation (all three authors): School of Computer Science and Technology, Harbin Inst. of Technology, Harbin 150001, China
Funding: National Natural Science Foundation of China (No. 60403033)
Abstract: Introduction. The SMTP [1] is used as the basis for most electronic mail. Email is the most popular Internet service now [2], and it allows people to communicate by exchanging electronic messages globally. These messages can be delivered in a few seconds to a couple of hours. An added attraction is the relatively low cost of sending large messages. Combined, these benefits give users a convincing argument for access to email, and thus the connection of their systems to the Internet. SMTP is a simple protocol and contains only a few basic commands. There are several security …

Keywords: traffic volume, detection method, integration, model
Article ID: 1007-1172(2006)02-0165-07
Received: 2005-10-10

LUO Hao, FANG Bin-xing, YUN Xiao-chun. The Anomaly Detection in SMTP Traffic Based on Leaky Integrate-and-Fire Model[J]. Journal of Shanghai Jiaotong University, 2006, 11(2): 165-171.
Authors: LUO Hao, FANG Bin-xing, YUN Xiao-chun
Abstract: This paper investigated an effective and robust mechanism for detecting anomalies in simple mail transfer protocol (SMTP) traffic. To detect an anomaly, the method accumulates the deviation of the current delivery status from historical behavior using a weighted-sum method called the leaky integrate-and-fire model. The method is simple: it need not store a history profile and has low computation overhead, which makes the detection method itself immune to attacks. The performance is investigated in terms of detection probability, false alarm ratio, and detection delay. The results show that the leaky integrate-and-fire method is quite effective at detecting constant-intensity attacks and increasing-intensity attacks. Compared with the non-parametric cumulative sum method, the evaluation results show that the proposed detection method has shorter detection latency and higher detection probability.
Keywords: anomaly detection, leaky integrate-and-fire model, SMTP traffic
This article has been indexed by CNKI, VIP, Wanfang Data, and other databases.